Developing New Approaches for Intrusion Detection in Converged Networks

An Intrusion Detection System (IDS) is an important evidence collection tool for network forensics analysis. An IDS operates by inspecting both inbound and outbound network activity and identifying suspicious patterns that may be indicative of a network attack. For each suspicious event, IDS software typically records information similar to statistics logged by firewalls and routers (e.g., date and time, source and destination IP addresses, protocol, and basic protocol characteristics), as well as application-specific information (e.g., username, filename, command, and status code). IDS software also records information that indicates the possible intent of the activity [Gra05]. IDS data is often the starting point for examining suspicious activity. Not only do IDSs typically attempt to identify malicious network traffic at all transmission control protocol/Internet protocol (TCP/IP) layers, they also can log many data fields (including raw packets) that can be useful in validating events and correlating them with other data sources [Ken06]. IDSs are classified into two categories—anomaly detection and misuse (knowledge-based) detection. Anomaly detection systems require the building of profiles for the traffic that commonly traverses a given network. This profile defines an established baseline for the communication and data exchange that is normally seen over a period of time. These systems have several drawbacks: the IDS alerts are not well adapted for forensics investigation (i.e., sometimes vague), they are complicated (i.e., cannot be communicated easily to nontechnical people), and have a high false negative rate. In contrast, misuse detection methods, also known as signature-based detection, look for intrusive activity that matches specific signatures. These signatures are based on a set of rules that match typical patterns and exploits used by attackers to gain access to a network [Fer05]. The disadvantage with misuse detection systems is that without a signature, a new attack method will not be detected until a signature can be generated and incorporated. VoIP has had a strong effect on tactical networks by allowing human voice and video to travel over existing packet data networks with traditional data packets. Among the several issues that need to be addressed when deploying this technology, security is perhaps the most critical. General security mechanisms, such as firewalls and Intrusion Detection Systems (IDS), cannot detect or prevent all attacks. Current techniques to detect and counter